In this post we will learn/test how the dynamic VLAN assignment works.

Basic Info:

Dynamic VLAN assignment: It pushes a wireless user into a specific VLAN based on his identity. This task of assigning users to a specific VLAN is handled by a RADIUS authentication server (i.e. ACS).

It’s a type of identity networking. It allows us to have single SSID, but allows specific users to use different VLAN attributes based on the user credentials.

This task of assigning users to a specific VLAN is handled by a RADIUS authentication server (ACS 5.2 in my case). This can be used, for example, to allow the wireless host to remain on the same VLAN as it moves within a campus network.

As a result, when a client attempts to associate to a LAP registered with a controller, the LAP passes the credentials of the user to the RADIUS server for validation. Once the authentication is successful, the RADIUS server passes (IETF) attributes to the user. These RADIUS attributes decide the VLAN ID that should be assigned to the wireless client.

***In my post I am using a single SSID

My Topology:

Let’s take an Example:

We will create a SSID “XYZ” and assign a non-routed VLAN (99) or management VLAN to it.

Now we have Groups of employees in our company “Production, Admin and Sales”.

VLANs as per Roles.(Production – 13, Admin – 14, Sales – 17 )

Steps to Configuration:

Configure WLC

Configure ACS server

Verification

Configure WLC

We must configure the WLC so it can communicate with the RADIUS server in order to authenticate the clients.

We can customize under what conditions we will allow user access to the network and what authorization profile (attributes) we will pass once authenticated. In this post, we selected Location, SSID, Device Type, and Identity Group.

In this post we will learn about the AAA override feature which is used with ACS (Radius Server).

This AAA Override function used to configure for identity networking. It allows us to configure VLAN tagging, QoS and ACL for specific clients.

Basic Info:

By using this feature we can reduce or minimize WLANs and can provide or segregate network segmentation within the network.

IN this post we take an example especially for dynamic VLAN assignment. This feature allows a single SSID to serve multiple users as per their roles (as per their VLANs).

How it works:

Wireless client associates to the AP on specific WLAN.

Wireless Client start RADIUS authentication process.

When the wireless client authenticates successfully, the RADIUS server assign this client to a specific VLAN (as we configured on RADIUS server), regardless of the VLAN assigned to SSID the client is using on the AP. If the RADIUS server does not return any VLAN attribute for the wireless client, the client is assigned to the VLAN specified by the SSID mapped locally on the AP.

Limitation:

To apply an ACL we must disable & then enable the WLAN so that client must re-authenticate again otherwise ACL does not take effect.

If we don’t have ACL on WLC or put the wrong name, then the clients are not allowed to be authenticated.

In HREAP/Flexconnect local switching, Multicast is forwarded only for the VLAN that the SSID is mapped to and not to any overridden VLANs.

When the interface group is mapped to a WLAN and clients connect to the WLAN, the client does not get the IP address in a round robin fashion. The AAA override with interface group is supported.

AAA override is done at the RADIUS server.

On WLC, enable AAA Override parameter using the GUI or CLI. Enabling this parameter allows the controller to accept the attributes returned by the RADIUS server. The controller then applies these attributes to its clients.

Enable this feature on WLAN:

Via GUI:

Via CLI:

WLC > config wlan aaa-override enable <wlan-id>

In next post we will see how this function can be used with an example.

If WLC is configured with management users both locally & RADIUS server with the Management check box enabled. In this case, by default, when a user tries to login to the WLC, the WLC behaves in this manner:

First looks at the local management users. If the user exists in its local list, then it allows authentication for this user. If this user does not appear locally, then it looks to the RADIUS server.

Means WLC always takes precedence when compared to the RADIUS server.

Authentication Oder for management users on the WLC.

Security> Priority Order > Management User.

*** If LOCAL is selected as second priority, then the user will be authenticated using this method only if the method defined as the first priority (RADIUS) is unreachable.

Verification

To verify each account, we must login with different users and check it.

If we login with user (sandeeprw) then we will have full administrative access to the WLC.

Example: If we login with read only user (sandeepro) and want to modify something on WLC then this will appear:

In this post we will learn / see how there format looks like with an example. It’s very important to know these because in exam we may need to create a policy using this.

My topology:

Client~~~~~~~~~~~AP—————–Switch——————–WLC

AP Details:

Default Format:

Called-Station-ID: Normally Contains (1) the MAC address of the Access Point and (2) the SSID on which the wireless device is connecting. These 2 fields are separated by a colon. Example: “AA-BB-CC-DD-EE-FF:SSID_NAME”.